Bug or just Cloudflare's feature?

The @eris post about the 15-year Cloudflare cert pushed me to try it. Why not, I thought? A 15-year cert is worth it.

So I got a cert from Cloudflare. Set it in the HestiaCP panel with no problem. Enabled Full Strict, waited, and my site worked fine… Okay, I thought, but then I tried to log into the panel… cp.mydomain.com:2083 and… it showed me: Error 526, Ray ID: 5a26bbe6referfer3d7984ec • 2020-06-12 21:41:05 UTC, Invalid SSL certificate.
Okay! Set just Full in Cloudflare and the panel came back. To sum up:

When I set the CF cert for cp.mydomain.com, it's okay until I enable Full Strict.
But when I enable Full Strict, I lose my access to cp.mydomain.com:2083.
When I set the CF cert for both mydomain.com and cp.mydomain.com (on which my panel is) and enable Full Strict, then only mydomain.com works and I lose my access to cp.mydomain.com:2083. BUT cp.mydomain.com works fine; cp.mydomain.com:2083 does not.
When I set the CF cert for just mydomain.com and enable Full Strict, then I have no access to cp.mydomain.com:2083 either.

What do you think?
It's not so critical because I still have access to https://ipserver:2083, so I can control the panel from there. I just wanted to understand why it happened. Maybe some limitation with ports on subdomains from the CF side? Or it's a bug…

Hi @danonanon,
Try to add the Cloudflare Origin Certificate in Server->Configure->SSL and it should work fine with strict mode :slight_smile:


Hello! I deleted all the certs from the domains and restarted the server. Went to Server->Configure->SSL, but there was (and still is) a cert. I tried to delete it, but with no success.

Looked at /usr/local/hestia/data/users/mydomain/ssl there was nothing
Looked at /usr/local/hestia/data/users/admin/ssl there was nothing
But in Server->Configure->SSL there was still a cert… Okay.

Tried Full Strict and failed again. So I started to look where it could be saved… found /usr/local/hestia/ssl/ and found certs there and just deleted them, but it turned out that they were not the CF certs… so now I have no access to the panel at all. Okay, I'll reinstall Hestia in the morning, set the CF cert in Server->Configure from the start, and see how it works. Thanks :slight_smile:

See https://docs.hestiacp.com/admin_docs/ssl_certificates.html#

You should be able to just paste the SSL certificates in the locations

certificate.crt
certificate.key

certificate.crt contains both the certificate that you get with the function and the root certificate; you can find a link in the documentation.

The key should be the secret key you get by Cloudflare…


Hi @danonanon,
You didn't have to delete the certificates in all places.

The certificate you set in Web section is for the website hostname.website.com but the certificate that you set in Server->Configure->SSL is for Hestia hostname.website.com:2083.

I think earlier you had a self-signed certificate for Hestia, which wouldn't work with Cloudflare strict mode. You can see a description next to strict mode in Cloudflare which says "Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server".

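A quick way to confirm the point made above (that the website port and the Hestia panel port present different certificates, and that a self-signed one is what makes Full (strict) return Error 526), as an added diagnostic script that is not from this thread or from HestiaCP. It assumes openssl is installed on the machine you run it from, and it assumes Cloudflare Origin CA certificates carry the substring "CloudFlare Origin SSL" in their issuer name.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): show which leaf certificate the
# origin presents on the site port and on the Hestia panel port, and say
# whether Cloudflare "Full (strict)" would accept it.

# Fetch the leaf certificate's subject and issuer lines from a live port.
# Usage: fetch_cert_identity cp.example.com 2083
fetch_cert_identity() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null
}

# Classify a subject/issuer pair (both as printed by "openssl x509"):
#   ok          -> issued by Cloudflare Origin CA (strict mode accepts it)
#   self-signed -> issuer equals subject (strict mode returns Error 526)
#   other       -> another CA; strict mode accepts it only if publicly trusted
# The "CloudFlare Origin SSL" issuer substring is an assumption.
classify_cert() {
    subject="$1"; issuer="$2"
    case "$issuer" in
        *"CloudFlare Origin SSL"*) echo "ok" ;;
        *)
            if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
                echo "self-signed"
            else
                echo "other"
            fi ;;
    esac
}

# Check every listed port of a host and print one verdict line per port.
# Usage: check_origin cp.example.com 443 2083
check_origin() {
    host="$1"; shift
    for port in "$@"; do
        identity=$(fetch_cert_identity "$host" "$port")
        subject=$(printf '%s\n' "$identity" | grep '^subject=')
        issuer=$(printf '%s\n' "$identity" | grep '^issuer=')
        printf '%s:%s -> %s (%s)\n' "$host" "$port" \
            "$(classify_cert "$subject" "$issuer")" "$issuer"
    done
}
```

Run it against the origin's own IP or hostname (bypassing Cloudflare) for both 443 and 2083; a "self-signed" verdict on 2083 is the panel certificate that Server->Configure->SSL replaces.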

@rmjtechnologies yes, HestiaCP gives me its cert :slight_smile: but the way you say to change the cert from the HestiaCP panel isn't right. It doesn't allow you to change it, at least in the latest version of HestiaCP :slight_smile:
@eris your guide works! Thank you guys. Please add it to the documentation if possible.